The big bad BASH bug

This bug is horrible. It’s worse than Heartbleed, in that it affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages. Specifically, this issue affects web servers using GNU BASH to process traffic from the Internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the Internet.

This bug allows arbitrary remote code execution on a remote web server, which is extremely serious. Why? It allows the attacker to leverage the website in further strategic web compromises, such as watering hole attacks, against website visitors. This is precisely how many targeted attacks occur, with an exceptionally high degree of success.

What can enterprises do? The first step in this problem is to actively scan your infrastructure to identify vulnerable systems and assess overall impact. Most of the major Linux distributions have issued patches for this bug. Alternatively, switching your default shell to something other than BASH will help mitigate this issue.

We have not seen this vulnerability used in targeted attacks yet. There is a high probability that sophisticated threat groups will use this vulnerability soon. It is unknown whether these types of discovered vulnerabilities will escalate in the future. Finally, it’s worth noting we have seen the first attack in the wild:

However, this is not necessarily a targeted attack.

Dissecting Advanced Attacks: FireEye Labs and the 2014 DBIR

Each year, a number of reports are released on the changing state of the threat landscape and where cyber security is headed. Alongside our own annual Advanced Threat Reports and M-Trends Reports, Verizon releases the “Data Breach Investigations Report” (DBIR), which many in the security industry consider the most comprehensive guide to data breaches. This year, because of the large number of cyber espionage and advanced persistent threat campaigns that we track, and the depth of insight we have into them, Verizon tapped the FireEye Labs team to contribute to the latest version of the report.

The 2014 DBIR takes a comprehensive look into all forms of attacks from the past year and, as we have always done with our investigations, now also examines the incident patterns of attacks. This type of analysis is what we like to call behavioral or contextual analysis of a breach lifecycle; it is invaluable for understanding advanced threats that traditional detection methods do not readily reveal.

To help with this initiative, FireEye Labs contributed information on several advanced attacks uncovered in 2013 that were likely driven by cyber espionage motives. Information on the individual attacks can be found here:

To view a full version of the Verizon DBIR, you can download a copy here: Also, be on the lookout for the release of our European Advanced Threat Report next week.

Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website

On February 11, FireEye identified a zero-day exploit (CVE-2014-0322) being served up from the U.S. Veterans of Foreign Wars’ website (vfw[.]org). We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns (Operation DeputyDog and Operation Ephemeral Hydra).

This blog post examines the vulnerability and associated attacks, which we have dubbed “Operation SnowMan.”


Darkleech Says Hello

There’s never a dull day at FireEye — even on the weekends. At approximately 7:29 AM PDT today, we were notified by several security researchers that a fireeye[.]com/careers HR link was inadvertently serving up a drive-by download exploit. Our internal security, IT operations team, and third-party partners quickly researched and discovered that the malicious code was not hosted directly on any FireEye web infrastructure, but rather, it was hosted on a third-party advertiser (aka “malvertisement”) that was linked via one of our third-party web services. The team then responded and immediately removed links to the malicious code in conjunction with our partners in order to protect our website users. More information on this third-party compromise (of video.js) can be found here.


Poison Ivy: Assessing Damage and Extracting Intelligence

Today, our research team is publishing a report on the Poison Ivy family of remote access tools (RATs) along with a package of tools created to work as a balm of sorts — naturally, we’re calling the package “Calamine.”

In an era of sophisticated cyber attacks, you might wonder why we’re even bothering with this well-known, downright ancient pest. As we explain in the paper, dismissing Poison Ivy could be a costly mistake.

RATs may well be the hacker’s equivalent of training wheels, as they are often regarded in IT security circles. But despite their reputation as a software toy for novice “script kiddies,” RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors.

YAJ0: Yet Another Java Zero-Day

Through our Malware Protection Cloud (MPC), we detected a brand new Java zero-day vulnerability that was used to attack multiple customers. Specifically, we observed successful exploitation against browsers that have Java v1.6 Update 41 and Java v1.7 Update 15 installed.

Unlike other popular Java vulnerabilities, in which the security manager can be disabled easily, this vulnerability gives arbitrary memory read and write in the JVM process. After triggering the vulnerability, the exploit searches memory for the JVM internal data structure that records, among other things, whether the security manager is enabled, and then overwrites that chunk of memory with zeros. Upon successful exploitation, it downloads a McRAT executable (MD5: b6c8ede9e2153f2a1e650dfa05b59b99, served as svchost.jpg) from the same server hosting the JAR file and then executes it.


Operation Beebus

FireEye discovered an APT campaign consistently targeting companies in the aerospace and defense industries. The campaign has been in effect for some time now.

Infection Vector

We have seen this campaign use both email and drive-by downloads as a means of infecting end users. The threat actor has consistently used attachment names of documents/white papers released by well-known companies. The malicious email attachment exploits some common vulnerabilities in PDF and DOC files.


CFR Watering Hole Attack Details

[Updated on December 30, 2012] On December 27, we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26. Through our Malware Protection Cloud, we can confirm that the website was compromised at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21—right before a major U.S. holiday.


Christmas Comes Early For Hackers: Email Attack Trends From 3Q2012

In our first half (1H) of 2012 Advanced Threat Report, we looked at various factors related to email-based attack trends, including exploit vector type (e.g., link/attachment), domain frequency, and attachment polymorphism. With the holiday season starting back up, we’ll refocus our attention on all the corresponding threat data collected quarter-to-date for 2012. To be clear, these statistics reflect the number of malicious attachments seen after initial SPAM and anti-virus filtering across our customer deployments, who share intelligence back to us.


Flamer/sKyWIper Malware: Analysis

As widely reported elsewhere, the Flamer/sKyWIper malware has largely been attributed to yet another unknown APT actor, which appears to target various organizations in the Middle East. Its size is massive, with the core components written in Lua and modular support for other languages (e.g., C/C++). Compared to Stuxnet and Duqu, it’s likely this malware framework was authored and developed in parallel, with a broader goal: comprehensive intelligence gathering.

Rather than speculate on attribution or repeat the initial analysis provided by CrySyS Lab, this blog post will focus on additional indicators of compromise that have yet to be documented elsewhere. These indicators are exceptionally useful for confirming whether or not this malware is active on a suspect system.
